search for: config_bridge_netfilt

Hi Dave, The patch below lets the bridge compile when CONFIG_BRIDGE_NETFILTER isn't enabled. This patch is an update of M.J. Miroslaw's patch that arrived through private mail. cheers, Bart --- linux-2.6.0-test10/net/bridge/br.c.old Wed Nov 26 01:28:16 2003 +++ linux-2.6.0-test10/net/bridge/br.c Wed Nov 26 01:31:54 2003 @@ -32,7 +32,7 @@ int (*br_should_route_hoo...

Hi, I have just configured a Linux box with kernel 2.6.16.7 and configured two ethernet interfaces (with MTU 1500) in bridge mode. CONFIG_BRIDGE_NETFILTER is enabled. The problem is that ping -s 1500 192.168.0.2 doesn't work from 192.168.0.1 if the systems are separated by the bridge. Normal ping with smaller packet size works ok. What is wrong? Best Regards Fulvio Ricciardi

...becomes VLAN, the Ethernet header pointer should be updated correctly. Also, the network header pointer should now point to the VLAN header. This code is needed for the code in br_netfilter.c to work, without it things will get more complicated inside br_netfilter.c. I can put it between an #ifdef CONFIG_BRIDGE_NETFILTER if you like, but I think that to keep the skb correct these changes should always happen. - {arp,ip}tables can filter the VLAN tagged packets thanks to some playing around with the skb->data and skb->nh.raw pointer inside br_netfilter.c. When br0.1000 (or the like) exists, this is what hap...

...virt7/xen-kernel/pull/18 > > > > Hi Karl, I've build and tested your PR, but without the GCC7 patch, and > > when I've tested it on el6, none of the guests had network access. > > I had to revert the bridge changes to have them working > > (CONFIG_BRIDGE_NETFILTER=m and CONFIG_BRIDGE=m). > > > > Why did you want the BRIDGE built-in instead of a module? > > > > Maybe you have something to setup the bridge (probably filter) properly, > > or maybe something is different in the xen package between el6 and el7. &gt...

...t; I updated my PR: https://github.com/CentOS-virt7/xen-kernel/pull/18 > > Hi Karl, I've build and tested your PR, but without the GCC7 patch, and > when I've tested it on el6, none of the guests had network access. > I had to revert the bridge changes to have them working > (CONFIG_BRIDGE_NETFILTER=m and CONFIG_BRIDGE=m). > > Why did you want the BRIDGE built-in instead of a module? > > Maybe you have something to setup the bridge (probably filter) properly, > or maybe something is different in the xen package between el6 and el7. > Any idea? > > I still have to inve...

...> Hi Karl, I've build and tested your PR, but without the GCC7 > patch, and > > > > when I've tested it on el6, none of the guests had network > access. > > > > I had to revert the bridge changes to have them working > > > > (CONFIG_BRIDGE_NETFILTER=m and CONFIG_BRIDGE=m). > > > > > > > > Why did you want the BRIDGE built-in instead of a module? > > > > > > > > Maybe you have something to setup the bridge (probably filter) > properly, > > > > or maybe something is...

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=400 ------- Additional Comments From kaber@trash.net 2006-01-25 12:55 MET ------- Please add a LOG rule to PRE_ROUTING in the mangle table and post the output. BTW, are you using hardware checksumming (check with ethtool) on the underlying ethernet device? -- Configure bugmail:

On Wed, Feb 27, 2019 at 4:44 AM Pasi K?rkk?inen <pasik at iki.fi> wrote: > Hi, > > On Mon, Feb 11, 2019 at 12:49:30PM +0200, Pasi K?rkk?inen wrote: > > Hi, > > > > On Sun, Feb 10, 2019 at 10:35:56PM -0500, Karl Johnson wrote: > > > Hello, > > > I built 4.9.155 for both el6 and el7, you can test them here: > > > [1] >

...t get released. > > I updated my PR: https://github.com/CentOS-virt7/xen-kernel/pull/18 Hi Karl, I've build and tested your PR, but without the GCC7 patch, and when I've tested it on el6, none of the guests had network access. I had to revert the bridge changes to have them working (CONFIG_BRIDGE_NETFILTER=m and CONFIG_BRIDGE=m). Why did you want the BRIDGE built-in instead of a module? Maybe you have something to setup the bridge (probably filter) properly, or maybe something is different in the xen package between el6 and el7. Any idea? I still have to investigate the Xen pkg, and have a close...

...ttps://github.com/CentOS-virt7/xen-kernel/pull/18 > > Hi Karl, I've build and tested your PR, but without the GCC7 patch, and > when I've tested it on el6, none of the guests had network access. > I had to revert the bridge changes to have them working > (CONFIG_BRIDGE_NETFILTER=m and CONFIG_BRIDGE=m). > > Why did you want the BRIDGE built-in instead of a module? > > Maybe you have something to setup the bridge (probably filter) properly, > or maybe something is different in the xen package between el6 and el7. > Any idea? > &g...

...> > > > > > Hi Karl, I've build and tested your PR, but without the GCC7 patch, and > > > when I've tested it on el6, none of the guests had network access. > > > I had to revert the bridge changes to have them working > > > (CONFIG_BRIDGE_NETFILTER=m and CONFIG_BRIDGE=m). > > > > > > Why did you want the BRIDGE built-in instead of a module? > > > > > > Maybe you have something to setup the bridge (probably filter) properly, > > > or maybe something is different in the xen package...

Hi, I have just configured a Linux box with kernel 2.6.16.7 and configured two ethernet interfaces (with MTU 1500) in bridge mode. CONFIG_BRIDGE_NETFILTER is enabled. The problem is that ping -s 1500 192.168.0.2 doesn't work from 192.168.0.1 if the systems are separated by the bridge. Normal ping with smaller packet size works ok. What is wrong? Best Regards Fulvio Ricciardi

...all! I'm trying to make a transparent shaper with kernel 2.6.11 I have done this and used it many times on 2.4.25 kernel and ebtables-brnf-5_vs_2.4.25.diff On 2.4.25 I have been using U32 classifiers and HTB. On 2.6.11 even with : newserver ~ # zcat /proc/config.gz | grep -i BRIDGE_NETFILTER CONFIG_BRIDGE_NETFILTER=y newserver ~ # ls /proc/sys/net/bridge/ bridge-nf-call-arptables bridge-nf-call-ip6tables bridge-nf-call-iptables bridge-nf-filter-vlan-tagged newserver ~ # cat /proc/sys/net/bridge/* 1 1 1 1 I'm still not succeeding ti shape the traffic on the bridge interface Any ideas please???

...t; function from kernel to skb_util.c because pulling in the data will rise a "BUG_ON" in the kernel. - the skb_buff is not always possible to modify. (vnet_forward.c and etherip.c) The code now work''s.. I think with no or less time-penalty. Info for kernel-option CONFIG_BRIDGE_NETFILTER : There is a race-condition in the code (nf_iterate), which will kill the kernel. With hyperthreading and vnet over 2 Server a scp will kill it in less 1 (one) second. Blocking hyperthreading the same will work less then 30 seconds. Dropping the bridge- netfilter code, no error''s in 3 ho...

...order to be able to use these patches? I''m using a vanilla kernel 2.6.21.7 with the following patches: - IMQ - Layer 7 - Julian''s route patches (version for kernel 2.6.21) relevant parts of .config: CONFIG_IP_ROUTE_MULTIPATH=y # CONFIG_IP_ROUTE_MULTIPATH_CACHED is not set ... # CONFIG_BRIDGE_NETFILTER is not set # CONFIG_BRIDGE_NF_EBTABLES is not set CONFIG_BRIDGE=m Thanks for any help, François.

I have seen and responded to many different bridging related firewalling questions as of late. There seems to be a common assumption that IPTables does not and / or can not see bridged traffic. This is not the case. If you enable the "Bridged IP/ARP packets filtering" (CONFIG_BRIDGE_NETFILTER) option IPTables can see and act on bridged traffic. If this is turned on and you have a default filter:FORWARD policy of DENY, or a catch all rule of DENY, you will need to explicitly allow bridged traffic to be forwarded. (excerpt from menuconfig) "Enabling this option will let arptab...

...I've build and tested your PR, but without the GCC7 >> patch, and >> > > > when I've tested it on el6, none of the guests had network >> access. >> > > > I had to revert the bridge changes to have them working >> > > > (CONFIG_BRIDGE_NETFILTER=m and CONFIG_BRIDGE=m). >> > > > >> > > > Why did you want the BRIDGE built-in instead of a module? >> > > > >> > > > Maybe you have something to setup the bridge (probably filter) >> properly, >> > > >...

...int br_dev_queue_push_xmit(struct sk_buff *skb) { - if (skb->len > skb->dev->mtu) + /* drop mtu oversized packets except tso */ + if (skb->len > skb->dev->mtu && !skb_shinfo(skb)->tso_size) kfree_skb(skb); else { #ifdef CONFIG_BRIDGE_NETFILTER

...idge/br_private.h index 2119729ded2b..64fb359c6e3e 100644 --- a/net/bridge/br_private.h +++ b/net/bridge/br_private.h @@ -494,6 +494,8 @@ struct net_bridge { #endif struct rhashtable fdb_hash_tbl; + u32 fdb_n_entries; + u32 fdb_max_entries; struct list_head port_list; #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER) union { -- 2.40.1

...idge { > #endif > > struct rhashtable fdb_hash_tbl; > + u32 fdb_n_entries; > + u32 fdb_max_entries; These are not critical, so I'd use 4 byte holes in net_bridge and pack it better instead of making it larger. > struct list_head port_list; > #if IS_ENABLED(CONFIG_BRIDGE_NETFILTER) > union {